Target Security Breached: What You Need to Know

All it takes is one big, nasty security breach and the whole world will be watching you through a microscope. Minneapolis-based Target Corporation (NYSE: TGT) issued a press release this past Thursday (Dec. 19, 2013) confirming that approximately 40 million credit and debit card accounts may have been compromised between Nov. 27 and Dec. 15, 2013.

When I first heard of this, it had me shaking my head and, seconds later, quickly looking back through my bank statements to see whether I had made any purchases in that timeframe.

This is the second-largest breach ever reported in the retail industry.

How could this happen to one of the largest retailers in the
United States?

Target’s security was breached only in stores, when credit and debit cards were swiped at the cash register; no online breach occurred. There is speculation that sophisticated malware was installed on all of the card readers, though given what is known so far, this seems unlikely.

As an ethical hacker who regularly tests the security of large national corporations, I can draw two conclusions from experience. Looking at a breach of this magnitude, the most logical conclusion is that the data was probably not stolen at the registers: hackers are lazy in the sense that they look for the lowest-hanging fruit first, and installing malicious software on every card reader simultaneously is complicated. There are easier ways to capture this data. It is also unlikely that the data was stolen directly from its final location (database, ledger, system of record, etc.), because it included only transactions from retail stores during a specific time period, which suggests the data was compromised while in transit. Therefore, the breach most likely happened somewhere in the myriad of complex systems between the retail stores and whatever final endpoints store and process the transactions.

Assuming this occurred (keep in mind that I’m speculating), this type of breach indicates the attackers got onto Target’s internal network and captured the data by compromising one or more of the internal systems that handle the transactions. An internal compromise like this typically points to multiple weak points in the organization’s defenses.

It is not uncommon for organizations, no matter how polished they may appear from the outside, to have much more lax security practices internally. For example, many organizations build systems under the assumption that all authenticated IT staff can be trusted.

The scary truth: users are typically the weakest security
link in an organization.

Even if every employee could be trusted beyond any shadow of a doubt, there are still ways in. For example, an employee’s computer can be infected with malware, an employee can click on a phishing link, or an employee can reuse a password from another system, so that a breach of that other system hands an attacker a working credential here.

We see these issues all the time during security assessments. They become a serious problem when the security of internal systems is built on the assumption that every internal user can be trusted.

How could Target have prevented this? The public may never know.

Without an insider view of the exact details, there is no way to know what could have prevented this. This type of breach was probably nothing new, and was more likely due to a systemic problem than to a single mistake.

Preventing a security breach requires investing in a solid security program that addresses both external and internal threats. Corporations must routinely check for and install software patches. When sensitive data is at stake, sufficient security controls must be built into every stage of a system, including the systems that carry the data between locations, and thorough security testing should be conducted with every new software release.

What about the consumers affected?

If your card is among the unlucky forty million compromised, the best advice is to monitor your statements for fraudulent charges, contact the major credit bureaus to place a fraud alert on your credit file, and obtain a replacement card.

The only sure way to limit this risk during future holiday seasons is to avoid using your main credit or debit card for shopping. Temporarily use a prepaid card for the holiday season, or pay cash for your gifts (for the ultra-paranoid).

Until more details are revealed and customers come forward with reports of fraudulent charges, we won’t know how this will unfold. Our only hope is that corporations do a better job of protecting their customers from security breaches in the future.

Jason Gillam is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services, you can contact him at jgillam@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.